Monday, April 30, 2007

In last week's Brussels IOS session called 'Metasystem - Slice & Dice', the group identified that a meaningful piece of work towards a 'Concordic' (love the word, I'm even using it to scold when my kids fight) metasystem would be to define the 'OpenID bootstrap to Liberty Alliance ID-WSF' (the scenario diagrammed here).

So what would this entail?

OpenID is (primarily) a front-channel SSO system, ID-WSF is (primarily) a back-channel attribute sharing system. The work being proposed would define how you segue from the former to the latter, e.g. how an OpenID RP, once an authenticated OpenID user has arrived, can transition into the ID-WSF world in order to discover and obtain other identity attributes of the user (this seen as an alternative mechanism to having the attributes delivered inline through the OpenID protocols).

To play in the ID-WSF world, the RP needs two things:

- the SOAP endpoint at which the relevant user's Discovery Service is located. The Discovery Service is like a personalized search engine for identity attributes. It's the Discovery Service that will be able to tell the RP where the user's various identity attributes (e.g. profile, calendar, presence, geolocation, wallet, social, VRM, etc) are located.
- a security token that, if presented to the Discovery Service, will serve to identify both the user in question and the RP asking the question (so that permissions can be applied).

In Liberty's architecture, the container for the above pieces of information (there are other bits as well) is an <EndPointReference>, an XML data structure defined by the W3C's WS-Addressing spec.

If an OpenID RP can obtain the EPR for the user's Discovery Service, then it has the necessary information and credentials to start participating in the ID-WSF world because, with the DS EPR, it can search for and retrieve the EPRs of other identity services (like calendar, etc) that it is ultimately interested in.

So, the challenge for connecting OpenID and ID-WSF is 'simple', define how the OpenID RP can obtain the DS EPR and, so armed, start discovering and invoking the identity services of interest. Liberty has always referred to this step as the bootstrap, and so the title of this post.

In our Brussels IOS session, we discussed two broad options for making this work.

- Having the OpenID protocol response carry (in an extension) a URI at which the DS EPR could be retrieved.
- Having the DS EPR available as part of the user's Yadis document.

The first is aligned with how the existing bootstrap from SAML SSO works, the second perhaps more consistent with the existing OpenID model. More later on the pros/cons of each.
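To make the second option concrete, here is how an RP could pull the DS EPR (endpoint address, security mechanism and token) out of a Yadis XRDS document. This is an added example, not code from the post or from the Liberty Alliance; the XRDS and WS-Addressing namespaces are the standard ones, but the ID-WSF 2.0 discovery/security namespaces and the layout of the EPR metadata are assumptions that should be checked against the ID-WSF Discovery spec, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# XRDS/XRD and WS-Addressing namespaces are standard; the Liberty ID-WSF 2.0
# discovery/security namespaces and element layout are an assumption (from memory).
NS = {
    "xrd": "xri://$xrd*($v*2.0)",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "disco": "urn:liberty:disco:2006-08",
    "sec": "urn:liberty:security:2006-08",
}
DS_TYPE = "urn:liberty:disco:2006-08"  # service type the RP looks for

# Constructed sample Yadis document: the usual OpenID <Service> followed by a
# <Service> carrying the user's Discovery Service EPR (the second option above).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service priority="10">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://op.example.org/openid</URI>
  </Service>
  <Service priority="20">
    <Type>urn:liberty:disco:2006-08</Type>
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:disco="urn:liberty:disco:2006-08" xmlns:sec="urn:liberty:security:2006-08">
      <wsa:Address>https://ds.example.org/idwsf/disco</wsa:Address>
      <wsa:Metadata><disco:SecurityContext>
        <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</disco:SecurityMechID>
        <sec:Token>CONSTRUCTED-OPAQUE-TOKEN</sec:Token>
      </disco:SecurityContext></wsa:Metadata>
    </wsa:EndpointReference>
  </Service>
</XRD></xrds:XRDS>"""


def find_ds_epr(xrds_text):
    """Return {'address', 'mechanism', 'token'} for the first usable DS EPR, else None."""
    root = ET.fromstring(xrds_text)
    for svc in root.iterfind(".//xrd:Service", NS):
        types = [t.text.strip() for t in svc.iterfind("xrd:Type", NS) if t.text]
        epr = svc.find("wsa:EndpointReference", NS)
        if DS_TYPE not in types or epr is None:
            continue
        address = epr.findtext("wsa:Address", default="", namespaces=NS).strip()
        ctx = epr.find("wsa:Metadata/disco:SecurityContext", NS)
        # The token is a bearer credential: skip any endpoint that is not https.
        if not address.startswith("https://") or ctx is None:
            continue
        mech = ctx.findtext("disco:SecurityMechID", default="", namespaces=NS)
        token = ctx.findtext("sec:Token", default="", namespaces=NS)
        return {"address": address, "mechanism": mech.strip(), "token": token.strip()}
    return None
```

With the DS EPR in hand, the RP has both the endpoint and the credential it needs to issue its first discovery query.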

On a flight from Brussels to Heathrow I noticed the following diagram in the back of BMI's in flight magazine.

It describes the permutations in the process for passengers connecting at LHR - the options distinguished by where from & to the passengers are connecting.

I can see something similar for guiding deployers of interconnected identity systems.

For users arriving through SAML SSO and not arriving with 'carry-on' attributes, for connection to ID-WSF, please proceed to the bootstrap. Otherwise, please join the queue for Attribute Processing.

For users arriving through OpenID SSO and not arriving with 'carry-on' attributes, for connection to ID-WSF (either SOAP or AJAX bindings), please proceed to the bootstrap (SAML- or Yadis-based, respectively). Otherwise, please join the queue for Attribute Processing.

Should any user arrive through WS-Federation SSO, please contact an agent on arrival for specific instructions. Expeditious processing will be enabled by removing all jewelry, belts, shoes, and inhibitions about cavity searches.

How tricky/tough/political would it be for proponents of various identity systems to agree on how to phrase a consent query, if not necessarily how/where/when to present such a query to users? As trivial as picking the text for

"X is asking for Y, wadda ya think?"

Beyond the simple yes/no, accept/deny, proceed/stop options (I've seen them all), there could be agreement on phrasing of the 'remember this decision' prompt and its options.

Alternatively (and far more work), how about a CCML 'Consent Context Markup Language' - a syntax describing how consent was obtained, comparable to SAML's Authentication Context and OpenID's Authentication Quality Extension for describing how authentication occurred.

Quick list of contexts.

Who obtained consent? For what?

How was the question phrased (as per above)?

How was the question presented, e.g. by directly asking the user when they were 'at' the provider, or indirectly a la Liberty's Interaction Service, or by direct user-mediation of the flow a la CardSpace or SAML ECP? (hopefully avoiding the complexity of describing authentication because there would be no temptation to try and say that one consent mechanism was 'better' than another for ranking.)

When was consent obtained, e.g. a priori, real-time?

Basic W5 stuff.

Of course, the question is who would care? It would be the provider making the access control decision for a particular bit of identity that would need to know about consent, so in what scenarios is it relevant for the details of said consent to be recorded? Audit would be one. Supporting a 'User Dashboard' where a user can see past identity transactions (and the specifics of the corresponding consent) would be another.

No identity system does this, so nobody should (you'd think) have resistance to collaborating.

The restaurant at which we had dinner last night in Brussels had an interesting 'washroom convergence model'. The Gals & Guys rooms shared a single wash basin - this located in a hole in the wall between the two.

Art by Alex.

Was this a result of customer complaints about duplication & redundancy in sink infrastructure?

Tuesday, April 24, 2007

In yesterday's Liberty Alliance eGovernment workshop, a representative of an EU government made a distinction between 'claim' and 'assertion' - the impression he gave was that the semantics of the latter are stronger, e.g. anybody can make a claim, but you'll want to be sure about your facts before you make an assertion.

The 'Castle Team' mulled on this over iced tea at the day's end.

While the group agreed that there actually was no such distinction (claim and assertion used interchangeably), our discussion did highlight what seems to be a gap in today's taxonomy - this being the distinction between 3rd party and self-asserted identity.

The feeling was that something so fundamental as the relationship of the actor making the assertion to the subject of the assertion warranted more than merely an adjective. Additionally, we felt that the nature of the assertion, (i.e. positive or negative) should be explicit.

We came up with the following taxonomy

brag: an assertion made by X in which some attribute(s) of X is enhanced or exaggerated

boast: an assertion made by Y in which some attribute(s) of X is enhanced or exaggerated

pity: an assertion made by X in which some attribute(s) of X is accurately described

slag: an assertion made by Y in which some attribute(s) of X is accurately described

Feedback is welcome. We will have a call to review any such comments. Who knows, we might even attempt to account for it.

Thursday, April 19, 2007

Individual twits display on a Google map. Not only can you learn the most trivial details of what people are doing, but also where they are doing it!

As posts appear and disappear, the map repositions. Most fun is seeing the focus shift back and forth from one side of the globe to the other - from somebody in Singapore describing what they ate for breakfast to somebody in Hoboken describing what they ate for dinner.

I plan on getting up early tomorrow so I can see the 'breakfast horizon' pass over the globe - from miso soup in Japan, through the UK's black pudding, ending up with a West Coast fruit cup and Espresso. Now that's a global community.

Tuesday, April 17, 2007

Des Moines - In a freakish coincidence, two top-ranked identity protocols have died as they travelled separately to the 'Me 2.0' identity conference.

SAML, widely regarded as the top contender for federated identity management in the masters age group, perished when the single-engine Piper Cherokee it was travelling in crashed into a densely-wooded hillside soon after take-off from Topeka Municipal Airport. Forensic data experts are currently attempting to process the 'artifact' sent out by the pilot just before losing contact in order to determine the cause of the crash.

In a bizarre twist, one of SAML's colleagues, scheduled to fly on the same flight, cancelled at the last moment - narrowly avoiding even greater tragedy. Liberty Alliance, citing concerns over the insurance, declined to travel. Unconfirmed reports say that Shibboleth was also scheduled to be on the flight but was denied boarding after attending a frat party the night before.

The youthful OpenID, well-known on the celebrity party circuit, was seen by many as SAML's main competition. At almost exactly the same time as SAML's accident, OpenID died when the Kombi Van in which it was a passenger veered off the highway and crashed into a sign for a home security vendor. Toxicology results are pending. Also in the van was Attribute Exchange, who suffered severe injuries and is in critical condition at Topeka General Hospital awaiting a token transplant. Police attempts to contact OpenID's partner XRI are being hampered by uncertainty as to just exactly what it is.

Remaining identity specification WS-Federation, when contacted at her Redmond estate for comment, read from the following prepared announcement:

"This is sad, sad, news. Very sad. I personally am sad, saddened even. Even though they had both the market & mind share that I desperately wanted, and were crushing me in deployment numbers, I thought of both SAML and OpenID as true friends. I am completely confident that my friends, now dead and no longer a threat to my success, want me to continue on as before. Consequently, my 'response' to this tragedy is to say there will be 'No change'. Thank You."

When asked about the rumour that WS-Federation was seen in the vicinity of the aircraft maintenance shed in the hours before the flight, Detective Cameron Shaft of the Topeka Police Department replied 'We are investigating a number of promising leads at the moment. WS-Federation and her 10 lawyers are cooperating completely. No further comment.'

Thursday, April 12, 2007

I've had a Concept 2 indoor rower for over 15 years. It's been an on and off again part of my fitness program - an excellent full body workout but a hard sell compared to a nice run through the woods. Lately however, as my knees degrade, the low-impact nature of rowing has become more and more attractive.

As partial motivation to get back into it, I upgraded the rather basic speedometer that came with my rower to a new model with more bells and whistles for tracking workouts and progress.

One nice feature of the new monitor is the ability to connect to a PC through a USB cable so that rowing data (e.g. time, distance, pace, frequency of vomiting, etc) can be analyzed. Once on your PC, analysis can provide clear confirmation that your rowing technique and fitness level have plateaued as expected.

A software program called Row Pro takes advantage of this connectivity by providing real-time visuals of your workouts - as you row you see all your numbers as well as a nice animation of a boat on a scenic course. You can even race against a pre-programmed pace boat, a previous workout of your own, or somebody else through the Net.

Row Pro also allows you to upload your rowing workouts to a Concept 2 online logbook so that you can compare your results and distance to others. When I saw this option within Row Pro I expected that I'd be presented with the normal Web 2.0 style prompt of 'Please enter your email & password, we promise not to share with anybody'.

Instead all I had to enter was a 6-digit 'Ranking ID' that I had previously been given by Concept 2. No password necessary for the desktop software to enter rowing workouts to my online log.

I could really screw up a good rower if I were able to guess their Ranking ID as I'd be able to push my workouts into their log. Imagine the shock of some competitive 20-yr old female sculler to discover that she's actually a 43-yr old identity standards architect with poor technique and no stamina.

In practice, the CESG mechanism is that the investment company at which you've created an RESP makes a purchase on your behalf for the appropriate amount (i.e. 20% of whatever you've contributed yourself). You can see this in the pic of a transaction confirmation I received below.

I plan on inviting 'Representative 216K' to my child's university convocation. If they can't attend I'm sure they can send a proxy.

Wednesday, April 04, 2007

"Dr Livingston I presume you are aware that it's been over 6 years since I invited you to join my LinkedIn network? Don't mean to sound stuffy old chap but you could have saved me this rather tiring trip if you had just given me the courtesy of a reply what?"

Yesterday evening, I used an online service to do the family's Canadian personal income taxes.

The mechanism for electronic filing of the returns to the Canada Revenue Agency captures both the benefits and issues of the 'user-mediated' channel for identity flow through the user-agent.

The process is illustrated here:

You download the special .tax file to your desktop, and then in a separate browser session, upload it to the CRA site. Repeat for spouse.

How very empowering! I am in complete control of transfer of our tax/identity information from the tax provider to the CRA. In fact, without my explicit consent and actions, the info just will not flow.

For me personally, I would have much preferred for the tax service provider to interact directly with the CRA to submit the files 'on my behalf', saving me:

- the effort
- the security risk of having such sensitive information sitting on my laptop.

Webkinz is all the rage for my kids and their friends. It's inane and senseless but I try not to judge it as simply juvenile because, well, Twitter.

From the Webkinz site

Webkinz pets are lovable plush pets that each come with a unique Secret Code. With it, you enter Webkinz World where you care for your virtual pet, answer trivia, earn KinzCash, and play the best kids games on the net!

The 'lovable plush pets' are $2 stuffed animals that sell, when you can find them, for over $10.

The animals are quickly forgotten - it's the 'Secret Codes' that the kids want. Without the code that comes with the pet you can't enter the fun exciting virtual world. Consequently, kids place great value in the codes. Search on the Web and you'll see a whole marketplace for them.

That explains why, when my 7-yr old son was playing at a friend's house the other day, and they were logging into the Webkinz site, my boy left the room when his friend entered the code (as reported to me by the Dad). I asked my son about it before he went to school today. I asked him if he left the room because he wanted to, or because his friend had asked him to. His reply:

I wanted to, I never want to know somebody else's code in case something goes wrong and they might think I did it.